The way to make Google Workspace HIPAA compliant is to subscribe to a Workspace Plan that supports HIPAA compliance, agree to the terms of Google’s Business Associate Addendum, and configure the core services included in the Workspace plan to mitigate the risk of reasonably anticipated threats and impermissible disclosures.
Google Workspace is a popular productivity, communication, and collaboration suite which includes services such as Gmail, Drive, and Calendar. Although these services are free for personal users, when a healthcare provider uses them for business, the healthcare provider has to comply with the HIPAA Security and Privacy Rules for Protected Health Information (PHI).
This means the healthcare provider has to subscribe to a Workspace plan with capabilities that meet the requirements of the Security Rule, configure the capabilities to mitigate threats and vulnerabilities identified in a risk assessment, and train members of the workforce on how to use the core services in the Workspace plan in compliance with the Privacy Rule.
Which Google Workspace Plans are HIPAA Compliant?
There are sixteen Google Workspace plans for businesses, one personal plan for solopreneurs, and four “Google One” personal plans that contain a similar selection of services to Workspace plans. None of the personal plans support HIPAA compliance, and only nine of the business plans have the capabilities that meet the requirements of the Security Rule:
- Google Workspace Business Starter.
- Google Workspace Business Standard.
- Google Workspace Business Plus.
- Google Workspace Enterprise Starter.
- Google Workspace Enterprise Standard.
- Google Workspace Enterprise Plus.
- Google Workspace Frontline Starter.
- Google Workspace Frontline Standard.
- Google Workspace for Nonprofits.
All the above plans include the same core services. The differences between the plans are the “included functionality” (*) of each core service, limits on the number user licenses (i.e., Business plan subscriptions are limited to a maximum of three hundred users per healthcare provider), and the eligibility criteria for Frontline and Nonprofit plans.
(*) The “included functionality” of core services is the degree of control that healthcare providers have over certain features. For example, the level of endpoint management in the Business Starter plan is “fundamental”, whereas the level of endpoint management in the Business Plus plan is “advanced”. This may make a difference to some healthcare providers.
Which Workspace Plan is Right For Your Organization?
The way to determine which Workspace plan is right for your organization is to conduct a risk assessment. The risk assessment should be used to identify reasonably anticipated threats to the confidentiality, integrity, and availability of electronic PHI and reasonably anticipated impermissible disclosures of PHI due to human error and malicious insiders.
From the results of the assessment, you should compile a Google Workspace HIPAA compliant checklist which lists the risks of adopting Workspace for your productivity, communication, and collaboration needs. The checklist should be compared against the plans your organization qualifies for to identify which is most likely to reduce threats to a reasonable level.
For some healthcare providers, this may mean subscribing to a more comprehensive plan than appears necessary at first glance. For example, a healthcare provider with a workforce of less than three hundred may subscribe to an Enterprise plan in order to access a plan with Data Loss Prevention capabilities, support for S/MIME encryption, or more control over shared Drives.
Making Google Workspace HIPAA Compliant
Once the most appropriate plan has been selected, the process for making Google Workspace HIPAA compliant is to agree to the terms of the Business Associate Addendum and configure the core services included in the Workspace plan to mitigate the likelihood of the risks identified in the risk assessment occurring and reduce the likelihood of an impermissible disclosure.
Google’s Business Associate Addendum should be reviewed alongside the Workspace terms of Service before the Addendum is signed. Particular attention should be paid to the “Customer Obligations” in both documents and the possible suspension of service if a healthcare provider fails to control how Workspace services are used by members of the workforce.
To help healthcare providers configure core services, Google has published a HIPAA Implementation Guide. The Guide provides non-binding advice on how to make Google Workspace HIPAA compliant and offers suggestions about how to monitor account activity and set up security notifications. Note: some capabilities mentioned in the Guide do not exist in all plans.
How to Use Workspace Services in Compliance with HIPAA
One of the challenges of adopting Workspace as a productivity, communication, and collaboration suite is that many members of the workforce will already be using services such as Gmail, Drive, and Calendar in their personal interactions with family members and friends. Often, little consideration is given to the security and privacy of data in personal interactions.
Due to the risk of workforce members transferring personal security and privacy habits to the workplace, healthcare providers must provide HIPAA training on using Workspace services in compliance with HIPAA. It is also necessary to impose sanctions whenever a HIPAA email policy is violated to reinforce the need to respect the security and privacy of PHI.
Healthcare providers that encounter challenges selecting the right Workspace plan, making Google Workspace HIPAA compliant, or training members of the workforce on using Workspace services in compliance with HIPAA are advised to seek advice from an independent compliance professional.
